Build Your Own Membership System For ASP.NET MVC - Part I

Monday, October 1, 2012

Membership Provider Base ClassBuilding a piece of software to manage users is easy, but only if you know exactly what you want. After all, most of the code inside the various existing ASP.NET providers consists of straightforward parameter validation and data access. While this membership code is simple in isolation, there is still value inside the existing providers. The providers have proven themselves in production for thousands of web sites.

Unfortunately, it is difficult to derive value from the existing providers and reuse just the parts you need when building a custom membership solution for an application. The providers entangle a number of responsibilities and require a relational database. This has always been a source of frustration when building YACMP (yet another custom membership provider). My typical approach is to start from scratch by deriving from the abstract MembershipProvider class.

However, starting with the abstract MembershipProvider class doesn’t give me any inherent benefits in an ASP.NET MVC or Web API application. There are no custom controls to drag from the toolbox that will automatically integrate with a custom provider, and other than the Authorize attribute (which works against the roles provider), there is no implicit dependency on Membership.Provider or Roles.Provider, which are the typical static gateways to membership and role features.

There are actually drawbacks to building  custom providers with ASP.NET MVC. The provider model doesn’t easily cooperate with the dependency resolution features of MVC and Web API. Also, the API is a bit dated and doesn’t have the ability to work with OAuth or OpenID.

The solution to the OAuth problem in a new MVC 4 Internet application is to combine a new membership provider (the SimpleMembershipProvider) with some Web Matrix bits (the WebSecurity class) into something that works with OAuth and still allows a user to register locally with a password, but unfortunately still depends on a relational database and is complicated to understand, extend, and debug (search for MVC 4 SimpleMembership and you’ll find more questions on StackOverflow than anything else).

Given that the traditional provider model doesn’t provide many benefits for MVC and WebAPI, what would it look like to build a membership system and not start by deriving from MembershipProvider? That’s the topic for the next post.


Comments
gravatar Konstantin Tarkus Monday, October 1, 2012
If you want to build a custom membership provider, it's good idea to derive it from ExtendedMembershipProvider:

msdn.microsoft.com/...(v=vs.111).aspx

See also: http://www.sitesdk.com/
gravatar Ignacio Fuentes Monday, October 1, 2012
lol, what a tease, Scott.
gravatar friism Monday, October 1, 2012
At AppHarbor, we also started from scratch and our solution is on GitHub: github.com/appharbor/AppHarbor.Web.Security

If you're interested, the relevant blog posts can be found here:
blog.appharbor.com/...
blog.appharbor.com/...
blog.appharbor.com/...
gravatar Yngve Bakken Nilsen Tuesday, October 2, 2012
I tend to go with just a simple IAuthenticationProvider that I inject into my controller. All that is required is Validate(username, password), Login and Logout. The implementation can then get some db-access or similar injected, and you can use FormsAuthentication to set the authcookie.

Every time I start implementing the MembershipProvider class I deeply regret it :)
gravatar tanfolyam Tuesday, October 2, 2012
the whole internet is full of with TypeScript so thank you for this unique harbour today:)
gravatar Jordon Thursday, October 18, 2012
I have been hearing from people that asp.net mvc has full control over traditional asp.net webforms and that is best reason to do programming in asp.net mvc.


Based on this my Question
1) I believe Ado.Net has more/full control over ORM then what is the reason of using ORM, when we believe in having full control of what we are doing...
2) One obvious advantage i can see with ORM is we can switch database (Eg: Oracle to SQL Server) without changing anything in code, but argument is this is big decision and I don't think anyone keep changing their databases so frequently than I don't think it is truly an advantage.
3) RAD development with ORM, but since we want full control it is worth spending time on doing things manually and with defined strategy of doing this we can develop things faster.
4) I have seen in past that Microsoft keep on Recommending so many things and after sometime it comes from microsoft itself that, that is not recommended to use and you should use something else... Is it Microsoft Sales strategy.

Asp.net MVC vs Asp.net Web Form
1) With release of .Net 4.0 we can do almost all the things we can do in asp.net mvc and on top of it we have advantage of RAD when we are doing it with asp.net web forms than what is fun of using asp.net mvc architecture.

- For ViewState, we can turn it off
- For Having full control on HTML, we can generate HTML by dynamically creating controls (By this method we can achieve full control on HTML)
- We have clean seperation of UI vs Code, since in Web Forms we are not using any Code logic
- We have Routing for web forms too so that we can have SEO Friendly URL
- I have also seen that performance is little degraded with asp.net mvc then doing coding with asp.net web forms.
- MVC is just architecture which we can also do in Web Forms
- We can also be TDD compliant with Web Forms
- Almost all things which asp.net mvc have + advantage of RAD and simplicity of web forms than what is reason on switching to asp.net mvc?

I truly don't have any convincing answer which can please me towards this new technology... I have seen lot of people run around the buzz which Microsoft creates, but i truly don't see any added value in this...

To all the experts, could you please point some light and help me in understanding value of investing time and money in this new technologies.
Scott Allen Thursday, October 18, 2012
@Jordan:

1) Not everyone needs full control over the database. Most people want to avoid low level database code.

2) One advantage is a smaller code base. No need to use ADO.NET directly.

3) For RAD development I'd look at Lightswitch

4) Yes, Microsoft kills off more released products than most companies can release products.

Second #1)You can still use WebForms if you like it better.
gravatar Sandy Friday, October 19, 2012
Very knowledgeable things shared over here. Thank you very much. It is too much useful for asp.net developers
gravatar ChandaCohen Saturday, October 20, 2012
Hello,

I just wanted to say that I have been reading for a a couple of days and I would like to sign up for the updated feed.
gravatar Lelala Saturday, October 20, 2012
We've used WebForms for a couple of years and switched one customer to MVC now, and we can state: We will never step back to WebForms, MVC is really nice and i recommend everyone considering taking a look into it.
Regards
Comments are now closed.
by K. Scott Allen K.Scott Allen
My Pluralsight Courses
The Podcast!